Researcher Shares macOS Exploit with Apple Despite No Bounty

Apple's market cap fluctuates around $1 trillion. The company had $245 billion cash on hand in the first quarter of 2019. Yet it doesn't offer a macOS bug bounty, which means the researcher who discovered a flaw in Keychain Access had to decide if they would be willing to share their findings without any compensation.

The researcher, Linus Henze, publicly revealed his KeySteal exploit on February 6. He said at the time that he wouldn't share information about the exploit with Apple to protest the lack of a macOS bug bounty program. Henze seems to have had a change of heart, though, as he explained in his most recent tweet:

"I’ve decided to submit my keychain exploit to @Apple, even though they did not react, as it is very critical and because the security of macOS users is important to me," he said. "I’ve sent them the full details including a patch. For free of course." Apple still has yet to publicly acknowledge the KeySteal exploit.

The replies to that tweet are filled with people bemoaning Apple's decision not to compensate macOS vulnerability disclosures, offering to pay Henze themselves, or encouraging him to sell the information to another company. Many people have also been less than pleased about Apple's silence throughout this entire process.

These concerns arrived shortly after a major vulnerability let anyone remotely enable someone's microphone, and in some cases their camera, by exploiting a flaw in group FaceTime calls. Apple quickly disabled the feature and released a patch for the problem, but questions remained about the company's disclosure process.

Many tech companies have started bug bounty systems for exactly these reasons. Instead of expecting researchers to share their findings out of the goodness of their hearts, or requiring them to sign up for developer accounts, the companies establish clear bounties for different kinds of vulnerabilities anyone can submit.

Offering such a program for macOS would let Apple learn more about new vulnerabilities quickly and discreetly. It would also help ease concerns following KeySteal's revelation and the company's response to the FaceTime flaw.